GandCrab’s Rotten EGGs Hatch Ransomware in South Korea

This could mark yet another reinvention for the VenusLocker group, which has mostly been focused on cryptomining this year.

The VenusLocker group appears to be back, hatching a fresh GandCrab ransomware campaign, so to speak, that uses the niche EGG archive format. The emails carrying the EGG attachments specifically target South Korean users.

Trend Micro researchers, who first observed the offensive campaign in early August and posted about it today, noted that the attachments are being used to deliver the GandCrab v4.3 ransomware. The firm said the rash of emails uses “e-commerce violation” lures; for instance, a common subject line reads “[Fair Trade Commission] Notice of Investigation of Violation of E-Commerce Transaction” in English.

By way of background, EGG (.egg) is a compressed archive format that would seem exotic in most places around the globe, but in South Korea it is as commonplace as ZIP is in the U.S. It was developed by the South Korean company ESTsoft in 1999 as part of its multi-format compression utility ALZip, and support for it outside ESTsoft's own tools remains limited. That matters for defenders: a mail gateway or sandbox that cannot unpack an .egg attachment cannot inspect what is inside it, and a user who can open the file is, by definition, running a tool most other regions never see.

“Many South Korean users might find it odd if an archived file was sent to them by a friend or colleague in an archive file format other than .EGG,” said independent security researcher Graham Cluley.

Trend Micro researcher Donald Castillo, in a post Monday, cited further evidence that the operators behind the spam are going after South Korean users in particular: the use of Hangul, the Korean alphabet, in the spam mails' subject line, body and attachment filename.

In the Trend Micro analysis of the campaign, the EGGs are most definitely rotten, each packed with three files bent on malicious intent. Two are Windows shortcut (.lnk) files disguised to look like documents; the third is an executable carrying the hidden file attribute, so it does not show up in a normal folder view once the user extracts the archive. That hidden executable is the GandCrab payload, and both shortcuts point at it: opening either of the "documents" launches the ransomware.

"This is an example of the shift of ransomware actors moving to more targeted campaigns than the traditional 'spray-and-pray' technique used in the past," Jon Clay, Trend Micro's director of global threat communications, told Threatpost. "Utilizing phishing email techniques that use multiple files, hidden files and a unique and interesting subject to entice the victims into clicking on the weaponized attachments allows the threat actors behind this campaign to likely improve their infection rates."

As for attribution, “Within the .lnk files, ‘VenusLocker_korean.exe’ is inscribed, which could mean that the VenusLocker group was behind the distribution of spam mails,” said Castillo. VenusLocker also has been spotted in the past using EGG archives, as well as the same hidden-file technique and two decoy shortcut files.
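The archive layout described above (two decoy shortcuts plus a hidden executable) and the way Trend Micro spotted the link between them (an executable name inscribed in the .lnk files) are both easy to check for mechanically. The following Python triage script is an added example, not Trend Micro's or Threatpost's code: it takes a list of archive members as the unpacking tool would report them (name, Windows attribute bits, raw bytes), flags hidden executables and document-lookalike shortcuts, pulls executable names out of each .lnk with a strings-style scan of its ASCII and UTF-16LE runs, and reports when a shortcut names a hidden executable from the same archive. The ShellLinkHeader magic (size 0x4C and the LinkCLSID) is the real one; the member list, the shortcut bytes and the file names are constructed for the demonstration and are not samples from the campaign. It also assumes the extraction tool preserves the DOS hidden attribute, which the page does not say for ALZip.

```python
"""Triage of an e-mail archive's members for the decoy-shortcut-plus-hidden-executable
pattern. Added example, not Trend Micro's or Threatpost's code; the members below are
constructed, not samples from the campaign."""
import ntpath
import re
from dataclasses import dataclass

# Windows file-attribute bit; assumes the extraction tool preserves DOS attributes.
FILE_ATTRIBUTE_HIDDEN = 0x02

# ShellLinkHeader prelude: HeaderSize (0x4C) followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its little-endian on-disk layout.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
DOC_EXTS = (".doc", ".docx", ".hwp", ".pdf", ".xls", ".xlsx", ".txt")  # assumed decoy extensions

# A path-like token ending in an executable extension.
EXEC_RE = re.compile(r"[A-Za-z0-9_.\\:~-]+\.(?:exe|scr|com|pif|bat|cmd)\b", re.IGNORECASE)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


@dataclass
class Member:
    name: str
    attributes: int = 0
    data: bytes = b""


def is_shell_link(data: bytes) -> bool:
    """True if the bytes start with a valid ShellLinkHeader size and CLSID."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def referenced_executables(data: bytes) -> set:
    """Executable base names embedded anywhere in a .lnk (target path, relative path,
    arguments), recovered by scanning printable ASCII and UTF-16LE runs."""
    texts = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    texts += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    found = set()
    for text in texts:
        for hit in EXEC_RE.findall(text):
            found.add(ntpath.basename(hit).lower())
    return found


def triage_archive(members) -> list:
    """Return human-readable findings for an archive's member list."""
    findings = []
    hidden_execs = {
        m.name.lower()
        for m in members
        if m.name.lower().endswith(EXEC_EXTS) and m.attributes & FILE_ATTRIBUTE_HIDDEN
    }
    for name in sorted(hidden_execs):
        findings.append(f"hidden executable: {name}")
    for m in members:
        lname = m.name.lower()
        if not lname.endswith(".lnk"):
            continue
        if lname[:-4].endswith(DOC_EXTS):  # e.g. notice.doc.lnk
            findings.append(f"shortcut disguised as a document: {m.name}")
        if not is_shell_link(m.data):
            findings.append(f"malformed .lnk header: {m.name}")
            continue
        for target in sorted(referenced_executables(m.data)):
            if target in hidden_execs:
                findings.append(f"{m.name} launches hidden executable {target}")
            else:
                findings.append(f"{m.name} references executable {target}")
    return findings


def build_lnk(target: str) -> bytes:
    """Constructed stand-in for a shortcut: the real header magic, the remaining header
    fields zeroed, then the target as a UTF-16LE string. A genuine .lnk stores it inside
    LinkInfo/StringData structures; the scan above does not depend on that layout."""
    header = LNK_MAGIC + bytes(0x4C - len(LNK_MAGIC))
    return header + target.encode("utf-16-le")


# Constructed member list mirroring the layout described in the article.
SAMPLE_MEMBERS = [
    Member("notice_of_investigation.doc.lnk", 0, build_lnk(".\\VenusLocker_korean.exe")),
    Member("evidence.hwp.lnk", 0, build_lnk(".\\VenusLocker_korean.exe")),
    Member("VenusLocker_korean.exe", FILE_ATTRIBUTE_HIDDEN, b"MZ" + bytes(62)),
]

if __name__ == "__main__":
    for line in triage_archive(SAMPLE_MEMBERS):
        print(line)
```

On a real sample you would feed `triage_archive` the member list from whatever tool unpacks the .egg, keeping the attribute bits it reports. The strings-style scan is deliberately layout-agnostic: it catches the executable name whether the shortcut stores it as a link target, a relative path or a command-line argument, which is the same signal the researchers used for attribution.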

Clay cautioned, however, that a different group could be using the file name and the VenusLocker approach as a smokescreen to throw off investigators.

If VenusLocker is indeed the threat actor, it would mark yet another reinvention for the group. VenusLocker has a long history of targeting South Korean users via phishing campaigns, usually distributing its own proprietary ransomware. Last December, however, it was observed changing tactics, following broader trends in the threat landscape to ditch ransomware for cryptomining. In that campaign, it went after users to implant Monero mining malware.

Switching back to ransomware now also follows global trends: Data from Trend Micro shows that GandCrab was the second-highest detected ransomware family globally from March to July 2018, despite its command-and-control servers being seized by Romanian Police and Europol in March.

The criminals behind GandCrab quickly tweaked the malware after the takedown to keep ransom payments coming in; the group has stayed profitable and one step ahead of white hats by adopting a unique, highly agile malware development approach.

In any event, the attack is notable because it “reinforces the recent change we’ve seen whereby ransomware actors have shifted to more targeted, socially engineered email campaigns to improve their infection rates,” said Clay.
